Cyber Resilience

CVE-2025-57156

HighPublic PoC

Published: 20 January 2026

Published
20 January 2026
Modified
13 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0039 60.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-57156 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Owntone Owntone Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 39.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2025-57156 is a NULL pointer dereference vulnerability in the dacp_reply_playqueueedit_clear function within src/httpd_dacp.c of owntone-server, affecting the software through commit 6d604a1, a newer commit after version 28.12. Published on 2026-01-20, this issue falls under CWE-476 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high-impact potential on availability without compromising confidentiality or integrity.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required, triggering the NULL pointer dereference to crash the owntone-server process and cause a denial of service.

Mitigation is addressed in commit 5e4d40ee03ae22ab79534bb1410fa9db96c9fabd on the owntone-server GitHub repository. Further details on the vulnerability and remediation are provided in the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md and GitHub issue #1907 at https://github.com/owntone/owntone-server/issues/1907.

EU & UK References

Vulnerability details

NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference enables remote unauthenticated exploitation to crash the server process, directly matching application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-57155Same product: Owntone Owntone Server
CVE-2025-63647Same product: Owntone Owntone Server
CVE-2025-63648Same product: Owntone Owntone Server
CVE-2026-40413Shared CWE-476
CVE-2026-28390Shared CWE-476
CVE-2026-23952Shared CWE-476
CVE-2025-69624Shared CWE-476
CVE-2024-55193Shared CWE-476
CVE-2026-25795Shared CWE-476
CVE-2026-33282Shared CWE-476

Affected Assets

owntone
owntone server
≤ 28.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the NULL pointer dereference by requiring timely remediation through patching as provided in commit 5e4d40ee.

prevent

Validates information inputs to the dacp_reply_playqueueedit_clear function in httpd_dacp.c to prevent malformed remote requests from triggering the NULL dereference.

prevent

Protects against the unauthenticated remote denial-of-service attack by limiting the effects of crashes through traffic filtering or rate limiting.

References